OSEC

From: Greg Shipley (gshipleyneohapsis.com)
Date: Sat May 19 2001 - 18:24:42 CDT

    I'm *way* behind on my e-mail (what else is new) so please pardon me if
    any of these responses seem out of order.

    A few comments:

    - First, there is a product that I've started poking at by Captus Networks
    called "CaptIO" that is designed to help stop DoS attacks.
    (http://www.captusnetworks.com/.) Now, before you hop over to their site
    know that a lot of their marketing literature will make you want to puke.
    At least, I had some serious gag reactions the first time I read all of
    that crap. (read: don't kill the messenger!) However, underneath the BS
    the device is actually kind of cool. It's embedded Linux, and while it
    won't stop all DDoS attacks, IMHO it is useful. We've started working
    with it and testing it, and IMHO it shows promise. It is not a
    bullet-proof solution though. As was already stated, there is no easy
    (any?) solution to the DDoS problem.

    - Second, my .02 on the whole "shunning thing." My understanding is that
    there are fundamentally two ways that most commercial IDS solutions
    (today) go about shunning:

    a) re-programming a device such as a router or firewall. I've seen this
    done a few ways, but the most common are through something like
    Checkpoint's OPSEC (this is what RealSecure does) or expect (or other)
    scripting languages. Personally, I think it's humorous seeing an IDS
    device *TELNET* to a Cisco router to reprogram an ACL. That just doesn't
    sit right with me. But we'll get back to this.

    b) Issuing TCP resets, as was pointed out by Kevin (Timm) in an earlier
    message. By spoofing RST packets an IDS can effectively shut down TCP
    sessions.

    ---------------------------------

    Regardless of what shunning solution one is investigating, I've always
    thought shunning was an EXTREMELY dangerous feature. Agreeing with what
    Sid posted, depending on your configuration it's possible to create your
    own little internal DoS platform. Where we (Neohapsis) have ID systems
    deployed we typically get 1,000->2,000 alerts per day. Out of these, I'd
    venture to say only a handful are relevant. More importantly, we'll get
    triggers on obscure signatures once in a while that I do NOT believe to be
    valid. Now, if we shunned based on every signature fire, our IDS
    deployment could easily become the network administrator's worst
    nightmare.

    So I guess my .02 is that if you are going to shun, you better make damn
    sure that: a) the signature doesn't false - ever, and b) that the
    signature is TCP/state based, so it's not easily spoofed. And even then
    I'd be nervous... but that's just me.

    For whatever it's worth,

    -Greg

    P.S. There was a shunning convo on the "other" IDS list last year (4Q?),
    for anyone who is interested. There are archives here:
    http://archives.neohapsis.com/archives/ids/ - you might have to dig a bit
    though.
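
The two conditions Greg puts on shunning (the signature must never false, and it must be TCP/state based so the source cannot be spoofed) map naturally onto a small decision gate in front of whatever reprograms the router or firewall. The block below is an added illustration, not code from the original post, from Neohapsis, or from any IDS product named above. It adds two safeguards a defender would want on top of Greg's criteria: a list of addresses that must never be blocked (so the IDS cannot cut off your own routers or DNS) and a cap on distinct shuns per window (so a day of 1,000-2,000 alerts cannot turn into the internal DoS platform Sid and Greg warn about). Signature names, addresses, and the alert feed are all constructed for the example.

```python
"""Added example: a conservative shun gate for IDS alerts.

Not from the original post. Signature names, addresses and alerts are
constructed; addresses come from RFC 5737 documentation ranges.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Alert:
    """One IDS event (constructed shape, not any product's format)."""
    sig: str                # signature name
    src: str                # source address the IDS would shun
    tcp_established: bool   # sensor saw the full handshake, so src is not blind-spoofed


@dataclass
class ShunPolicy:
    trusted_sigs: frozenset   # signatures the operator accepts as never falsing
    never_block: tuple        # networks that must never be shunned (routers, DNS, partners)
    max_shuns: int            # cap on distinct sources shunned per window
    _shunned: set = field(default_factory=set)

    def decide(self, alert: Alert) -> tuple:
        """Return (shun?, reason). Only True rows would reach the router/firewall."""
        # Rule a) from the post: only signatures believed never to false.
        if alert.sig not in self.trusted_sigs:
            return (False, "untrusted signature")
        # Rule b) from the post: TCP/state based, so the source cannot be spoofed.
        if not alert.tcp_established:
            return (False, "not state-based; source may be spoofed")
        # Added safeguard: never cut off infrastructure you depend on.
        src = ip_address(alert.src)
        if any(src in net for net in self.never_block):
            return (False, "protected address")
        if alert.src in self._shunned:
            return (False, "already shunned; no new action")
        # Added safeguard: bound the blast radius of a noisy day.
        if len(self._shunned) >= self.max_shuns:
            return (False, "shun budget exhausted; escalate to a human")
        self._shunned.add(alert.src)
        return (True, "shun")

    def shunned(self) -> frozenset:
        return frozenset(self._shunned)


def make_demo_policy() -> ShunPolicy:
    """Hypothetical policy: two trusted signatures, one protected network, budget of 2."""
    return ShunPolicy(
        trusted_sigs=frozenset({"WEB-CGI phf", "SMTP EXPN root"}),  # hypothetical names
        never_block=(ip_network("192.0.2.0/24"),),                  # constructed: core routers/DNS
        max_shuns=2,
    )


# Constructed alert feed, in arrival order.
SAMPLE_ALERTS = [
    Alert("WEB-CGI phf", "198.51.100.7", True),       # trusted, established -> shun
    Alert("ICMP ping sweep", "198.51.100.8", False),  # untrusted signature -> skip
    Alert("WEB-CGI phf", "203.0.113.9", False),       # no handshake, spoofable -> skip
    Alert("WEB-CGI phf", "192.0.2.1", True),          # protected address -> skip
    Alert("SMTP EXPN root", "198.51.100.10", True),   # trusted, established -> shun
    Alert("SMTP EXPN root", "198.51.100.11", True),   # budget exhausted -> skip
    Alert("WEB-CGI phf", "198.51.100.7", True),       # duplicate -> no new action
]


def evaluate(alerts, policy: ShunPolicy):
    """Run the gate over a feed; returns (src, shun?, reason) per alert."""
    return [(a.src, *policy.decide(a)) for a in alerts]


if __name__ == "__main__":
    pol = make_demo_policy()
    for src, shun, why in evaluate(SAMPLE_ALERTS, pol):
        print(f"{'SHUN' if shun else 'skip'}  {src:15}  {why}")
    print("shunned:", sorted(pol.shunned()))
```

The order of the checks matters: the cheap, non-spoofable conditions run first, and the budget check runs last so that a flood of alerts exhausts the budget rather than the allowlist. A shun that is refused for "budget exhausted" is exactly the case Greg describes where a human should look before the network is touched.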